Alexandre David Gerd Behrmann, Kim G. Larsen, Wang Yi Paul ...afsec.asr.cnrs.fr › wp-content ›...

Peeling the Layers of UPPAALFrom a User’s Perspective to the Engine

Alexandre DavidGerd Behrmann, Kim G. Larsen, Wang Yi

Paul Pettersson, Didier Lime, …

18-11-2010 AFSEC 2

Model-CheckingReal-time systems:

Systems where correctness depends on the logical order of events and on their timings!… in addition to correct computation.

Real Time Model-checking:Model the environment + the tasks.Model φ? Automated proof.

PlantContinuous

Controller ProgramDiscrete

sensors

actuators

18-11-2010 AFSEC 3

Controller SynthesisController synthesis:

Model the environment + what a controller can do.Generate the controller so that controller φ!Generate the right code automatically.2-player timed game:environment moves vs.controller moves.⇒ Timed Game Automata.

PlantContinuous

Controller ProgramDiscrete

sensors

actuators

?

18-11-2010 AFSEC 4

Refinement

I/O Automata used to model specifications.Check for refinement between models.Combine specifications with operators.

Specifications/Implementations

Specifications

Refine?Implement?

18-11-2010 AFSEC 5

OverviewPart 1: Model-checking with UPPAAL.

Part 2: Controller synthesis withUPPAAL-TIGA.

Part 3: Compositional verification with ECDAR.

18-11-2010 AFSEC 6

Part 1 - OverviewTool OverviewModelling LanguageSpecification LanguageVerification EngineImplementationVerification OptionsModelling Patterns

Tool Overview

18-11-2010 AFSEC 8

Model-Checking - Overview

Requirements: invariant/safety (something bad never happens), liveness (something good eventually happens).Good: intuitive formalism, press-button technology.Bad: state-space explosion – how to fight it?

Model: network of TA

ϕSpecification: formulain TCTL

UPPAAL

YES

NO

+ sometrace

+ sometrace

18-11-2010 AFSEC 9

510

2025

Unsafe Side Safe Side

If possible find schedule for all four men to reach safe side in 60 min.

lamp

night

damaged bride (max 2 men) with mines

Application to Scheduling

18-11-2010 AFSEC 10

Can be modeled and solved with timed automata in UPPAAL.

UNSAFE SAFE

5 10 20 25

Mines

Bridge Example

18-11-2010 AFSEC 11

Toolkit Overview

Modeling

Simulation

Verification

TA + LSC editor TA + MSC(+Gantt chart)

18-11-2010 AFSEC 12

Architecture

Local or remote

Linux, Windows, MacOS

Modelling Language

18-11-2010 AFSEC 14

TA in a Nutshell

off

low

highx≤5

x>5

x=0

use

push!

push?

push?

push?

push?x≤1000

x≤1000

x==1000

x==1000

x=0

18-11-2010 AFSEC 15

Timed Automata with Invariantsshake-hand and broadcast communication,urgent action channels,urgent and committed locations,data-variables (with bounded domains),arrays of data-variables, constants, guards and assignments over data-variables and arrays…,templates with local clocks, data-variables, and

constants.C subset

Timed Automata in UPPAAL

18-11-2010 AFSEC 16

Modeling LanguageNetwork of TA = instances of templates

argument const type expressionargument type& name

Typesbuilt-in types: int, int[min,max], bool, arraystypedef struct { … } nametypedef built-in-type name

FunctionsC-style syntax, no pointer but references OK.

Selectname : type

+scalar sets

18-11-2010 AFSEC 17

Operators (not clocks): Logical:

&& (logical and), || (logical or), ! (logical negation), Bitwise:

^ (xor), & (bitwise and), | (bitwise or), Bit shift:

<< (left), >> (right) Numerical:

% (modulo), ? (max) Assignments:

+=, -=, *=, /=, ^=, <<=, >>=, := Prefix and postfix:

++ (increment), -- (decrement) Quantifiers: forall, exists.Min & max: a <? b, a >? b.Sums: sum.

More on Expressions

18-11-2010 AFSEC 18

Un-timed Example: Jugs

Scalable, compact, & readable model.const int N = 2; typedef int[0,N-1] id_t;Jugs have their own id.Actions = functions.Pour: from id to another k different from id.

Jugs

2 5

Actions:•fill•empty•pour

Goal: obtain 1 unit.

Jug(const id_t id)

18-11-2010 AFSEC 19

Jugs cont.Jug levels & capacities:int level[N];const int capa[N] = {2,5};

void empty(id_t i) { level[i]=0; }

void fill(id_t i) { level[i] = capa[i]; }

void pour(id_t i, id_t j){

int max = capa[j] - level[j];int poured = level[i] <? max;level[i] -= poured;level[j] += poured;

}

Auto-instantiation: system Jug;

18-11-2010 AFSEC 20

Train-Gate Crossing

River

Crossing

StopableArea

[10,20]

[7,15]

[3,5]

18-11-2010 AFSEC 21

Train-Gate Modeling

Scale the model:const int N = 6; typedef int[0,N-1] id_t;

Trains have their local clocks.The gate has its local list & functions.

Train(const id_t id)

N trains...Gate

controller

list enqueue()dequeue()front()

Communication via channels.chan appr[N], stop[N], leave[N];urgent chan go[N];

18-11-2010 AFSEC 22

Train-Gate Crossing

River

Crossing

StopableArea

[10,20]

[7,15]

[3,5]

appr[id]! leave[id]!

stop[id]? go[id]?

18-11-2010 AFSEC 23

Implementation of the Queueid_t list[N+1];int[0,N] len;

id_t front() { return list[0]; }id_t tail() { return list[len - 1]; }void enqueue(id_t element) { list[len++] = element; }

void dequeue(){

int i = 0;len -= 1;while (i < len){

list[i] = list[i + 1];i++;

}list[i] = 0;

}

18-11-2010 AFSEC 24

Scalar SetsUse: typedef scalar[N] setA;

defines a set of N scalars,typedef scalar[N] setB;defines another set of N scalars,it is very important to use the typedef.chan a[setA]; is an array of channels ranging over a scalar set – similarly for other types.limited operations to keep scalars symmetric.

A way to specify symmetries in the model.UPPAAL uses symmetry reduction automatically.Reduction: Project the current state to a representative of its equivalence class (w.r.t. symmetry).

Specification Language

18-11-2010 AFSEC 26

Logical SpecificationsValidation Properties

Possibly: E<> PSafety Properties

Invariant: A[] PPos. Inv.: E[] P

Liveness PropertiesEventually: A<> PLeadsto: P Q

Bounded LivenessLeads to within:P ≤t Q

The expressions P and Q must be type safe, side effect free, and evaluate to a boolean.

Only references to integer variables, constants, clocks, and locations are allowed (and arrays of these).

18-11-2010 AFSEC 27


Possibly: E<> P

Safety PropertiesInvariant: A[] PPos. Inv.: E[] P



18-11-2010 AFSEC 28


Possibly: E<> P




18-11-2010 AFSEC 29


Possibly: E<> P




18-11-2010 AFSEC 30

Logical Specifications

≤ t

≤ t

Validation PropertiesPossibly: E<> P




18-11-2010 AFSEC 31

Jug ExampleSafety: Never overflow.

A[] forall(i:id_t) level[i] <= capa[i]

Validation/Reachability: How to get 1 unit.E<> exists(i:id_t) level[i] == 1

18-11-2010 AFSEC 32

Train-Gate CrossingSafety: One train crossing.

A[] forall (i : id_t) forall (j : id_t)Train(i).Cross && Train(j).Cross imply i == j

Liveness: Approaching trains eventually cross.

Train(0).Appr --> Train(0).CrossTrain(1).Appr --> Train(1).Cross…

No deadlock.A[] not deadlock

UPPAAL Verification Engine

18-11-2010 AFSEC 34

OutlineSymbolic Exploration with ZonesDifference Bound Matrices

Operations

Reachability AlgorithmLiveness Algorithm

18-11-2010 AFSEC 35

Zones in a NutshellFrom Infinite to Finite

State(n, x=3.2, y=2.5 )

x

y

x

y

Symbolic state (set)

Zone:conjunction ofx-y<=n,x<=n,x>=n

(n, 1 ≤ x ≤ 4, 1 ≤ y ≤ 3)

18-11-2010 AFSEC 36

Symbolic Transitions

n

m

x>3

y:=0

delays to

conjuncts to

projects to

x

y1 ≤ x ≤ 41 ≤ y ≤ 3

x

y1 ≤ x, 1 ≤ y-2 ≤ x-y ≤ 3

x

y 3 < x, 1 ≤ y-2 ≤ x-y ≤ 3

3 < x, y=0

x

y

Thus (n, 1 ≤ x ≤ 4, 1 ≤ y ≤ 3) →a (m,3 < x, y=0)Thus (n, 1 ≤ x ≤ 4, 1 ≤ y ≤ 3) →a (m,3 < x, y=0)

a

18-11-2010 AFSEC 37

Symbolic Exploration

Reachable?

x

y

18-11-2010 AFSEC 38


Reachable?

x

y

Delay

18-11-2010 AFSEC 39


Reachable?

x

y

Left

18-11-2010 AFSEC 40


Reachable?

x

y

Left

18-11-2010 AFSEC 41


Reachable?

x

y

Delay

18-11-2010 AFSEC 42


Reachable?

x

y

Left

18-11-2010 AFSEC 43


Reachable?

x

y

Left

18-11-2010 AFSEC 44


Reachable?

x

y

Delay

18-11-2010 AFSEC 45


Reachable?

x

y

Down

The simulator shows yousymbolic states!

18-11-2010 AFSEC 46

A zone Z is a conjunctive formula:g1 & g2 & ... & gn

where gi is a clock constraint:xi ~ bi or xi-xj~bij

Use a zero-clock x0 (constant 0)A zone can be re-written as a set:

{xi-xj ~ bij | ~ is < or ≤, i,j≤n}This can be represented as a MATRIX, DBM(Difference Bound Matrices)

Zones = Conjunctive Constraints

18-11-2010 AFSEC 47

Let Z be a zone (a set of constraints)

Let [Z]={ u | u is a solution of Z }The semantics

(We write Z instead [Z] )

Solution Set as Semantics

18-11-2010 AFSEC 48

Strongest post-condition (Delay): SP(Z) or Z↑[Z↑] = {u+d| d ∈ R, u∈[Z]}

Weakest pre-condition: WP(Z) or Z↓ (the dual of Z↑)[Z↓] = {u| u+d∈[Z] for some d∈R}

Reset: {x}Z or Z(x:=0)[{x}Z] = {u[0/x] | u ∈[Z]}

Conjunction[Z&g]= [Z]∩[g]

Operations on Zones

18-11-2010 AFSEC 49

The set of zones is closed under all constraint operations (including x:=x-c or x:=x+c)That is, the result of the operations on a zone is a zoneThat is, there will be a zone (a finite objecti.e a zone/constraints) to represent the sets: [Z↑], [Z↓], [{x}Z]

Theorem on Zones

18-11-2010 AFSEC 50

One-Step Seachability: Si Sj

Delay: (n,Z) (n,Z’) where Z’= Z↑ ∧ inv(n)

Action: (n,Z) (m,Z’) where Z’= {x}(Z ∧g)

Successors(n,Z)={(m,Z’) |(n,Z) (m,Z’), Z’≠Ø}

Sometime we write: (n,Z) (m,Z’) if (m,Z’) is a successor of (n,Z)

n mg x:=0

if

18-11-2010 AFSEC 51

Implementation:Difference Bound Matrices

x2-x2<=0x2-x1<=1x2-x0<=5

x1-x2<=3x1-x1<=0x1-x0<=6

x0-x2<=-1x0-x1<=-2x0-x0<=0

xi-xj<=cij

x1

x2

Zone

18-11-2010 AFSEC 52

Difference Bound Matrices

x2-x2<=0x2-x1<=3x2-x0<=5

x1-x2<=3x1-x1<=0x1-x0<=6

x0-x2<=-1x0-x1<=-2x0-x0<=0

xi-xj<=cij

x1

x2 Canonical representation:All constraints as tight as possible.Needed for inclusion checking.→ Unique DBM to represent a zone.

x2-x1<=5 ?x2-x1<=4 ?

18-11-2010 AFSEC 53

DBMsHow to make them canonical:Floyd-Warshall algorithm.for k in 1..dim dofor i in 1..dim dofor j in 1..dim dodbm[i,j] = min(dbm[i,j],dbm[i,k]+dbm[k,j])

Why?Inclusion checking.Unique representation per zone – storage.Note 1: The algorithm leaves negative values on the diagonal for empty zones.Note 2: DBMs can also be seen as graphs.

18-11-2010 AFSEC 54

DBMsFuture:for i in 2..dim do

dbm[i,1] = infinity

Constrain (tighten bounds):if old[i,j] ≥ newi,j then

old[i,j] = newi,jfloyddim(i,j,old)

Reset:dbm[k,0] = (≤value)dbm[0,k] = (≤-value)for i in 1..dim do

dbm[k,i] = dbm[k,0] + dbm[0,i]dbm[i,k] = dbm[i,0] + dbm[0,k]

More in the DBM library.Important: Preserve canonicity.

18-11-2010 AFSEC 55

(The DBM Library

DBM library (GPL).federations,subtractions,merge.

Ruby binding (GPL).UTAP (UPPAAL TA Parser) library (LGPL).

syntax of UPPAAL,canonical TA representation.

http://www.cs.aau.dk/~adavid/UDBM/

http://www.cs.aau.dk/~behrmann/utap/

18-11-2010 AFSEC 56

DBM Library - Overview

C APIBasic functions.

C++ APIHigh level types.

Ruby (udbm)Fed wrapper.

Ruby (udbm-gtk)Graphical viewer.

Ruby (udbm-sys)High level abstraction.

Ruby(nice & intuitiveobject orientedinterpreted language)

C/C++

18-11-2010 AFSEC 57

C/C++ APIBasic functions: delay, constrain, intersection, minimal graph, relation… all basic operations.High level types: dbm_t and fed_t.

Transparent memory management.Copy-on-write semantics (transparent).Support for different merging/reduction algorithms of federations.More complex operators, e.g., subtractions, predt…

18-11-2010 AFSEC 58

Ruby API)Fed wrapper.

All operations of fed_t.Hooks to the graphical viewer (transparent).

High level abstraction.Set to represent a set of clock valuations defined by a system of constraints.Context of Clock(s).

Graphical viewer.Observer for Fed and Set.

Great educational & research tool!

18-11-2010 AFSEC 59

Forward Reachability Algorithm

Passed

Waiting Final

Init

INITIAL Passed := Ø;Waiting := {(n0,Z0)}

REPEATpick (n,Z) in Waitingif (n,Z) = Final return truefor all (n,Z)→(n’,Z’):

if for some (n’,Z’’) Z’⊆ Z’’ continueelse add (n’,Z’) to Waitingmove (n,Z) to Passed

UNTIL Waiting = Øreturn false

Init -> Final ?

PW

18-11-2010 AFSEC 60


Passed

Waiting Final

Init





Init -> Final ?

PW

18-11-2010 AFSEC 61


Passed

Waiting Final

Init





Init -> Final ?

PW

18-11-2010 AFSEC 62


Passed

WaitingFinal?

Init





Init -> Final ?

PW

18-11-2010 AFSEC 63


Passed

Waiting Final

Init





Init -> Final ?

PW

18-11-2010 AFSEC 64


Passed

Waiting Final

Init





Init -> Final ?

PW

18-11-2010 AFSEC 65


Passed

Waiting Final

Init





Init -> Final ?

PW

18-11-2010 AFSEC 66


Passed

Waiting Final

Init





Init -> Final ?

PW

18-11-2010 AFSEC 67

PassedST Unexplored

A} φ

: φ

S

Bouajjani, Tripakis, Yovine, 97Liveness Algorithm

18-11-2010 AFSEC 68

PassedST Unexplored

A} φ

: φ

= ?

Liveness Algorithm

18-11-2010 AFSEC 69

PassedST Unexplored

A} φ

: φ

Liveness Algorithm

18-11-2010 AFSEC 70

PassedST Unexplored

A} φ

: φ

??

Liveness Algorithm

18-11-2010 AFSEC 71

PassedST Unexplored

A} φ

: φ

⊆

??

Liveness Algorithm

18-11-2010 AFSEC 72

PassedST Unexplored

A} φ

: φ

Liveness Algorithm

18-11-2010 AFSEC 73

PassedST Unexplored

A} φ

: φ

Liveness Algorithm

18-11-2010 AFSEC 74

PassedST Unexplored

A} φ

: φ

Liveness Algorithm

Implementation

18-11-2010 AFSEC 76

Outline

Architecture of UPPAALFiltersReachability + liveness + leadsto pipelinesPWList

Other optimizationsActive clock reductionSharingSymmetryReuseVirtual machine

18-11-2010 AFSEC 77

Architecture of UPPAALPipeline architecture

In terms of components and flow of dataNot with parallel processing units

Basic componentsSinkSourceBufferFilter

18-11-2010 AFSEC 78

Pipeline Components

Source

Sink

Filter

State

Successor

Data

Buffer

18-11-2010 AFSEC 79

Reachability Pipeline

Expression

Delay Extrapolation Active clock reduction

Accept? Dealloc

yes

noPWList

TransitionSuccessor

Trace

Initialstate

18-11-2010 AFSEC 80

FeaturesReusable/exchangeable componentsFlexible architecturePWList = passed & waiting list

Unified structure

Early terminationCheck property after successor computation, not when taking states from waiting list

18-11-2010 AFSEC 81

DelayInitial state pushed hereFuture operation + invariant

Delay


Accept? Dealloc

yes

noPWList

TransitionSuccessor

Trace

18-11-2010 AFSEC 82

Different algorithms (choice automatic)Correctness depends on which kind of constraints are usedBasic extrapolation:

Extrapolationmaxx

maxy

+ active clock reduction:if bound = -∞ then free clock

x

y maxx

maxy

x

y

ExtrapolationDelay Extrapolation Active clock reduction

Accept? Dealloc

yes

noPWList

TransitionSuccessor

Trace

18-11-2010 AFSEC 83

PWList

PWList = unified passed and waiting listAccept = add state if not included in passed + waiting statesIN: add state to passed + waiting listOUT: remove from waiting list

Accept?PWList


Accept? Dealloc

yes

noPWList

TransitionSuccessor

Trace

18-11-2010 AFSEC 84

Transition computes possible transitions, not states

Transition

Successor computes successor state

Successor

Possible resets+ variable updates

Transition &Successor


Accept? Dealloc

yes

noPWList

TransitionSuccessor

Trace

18-11-2010 AFSEC 85

Liveness Pipeline

Delay Extrapol.+act. clock red.

Transition

Successor

Trace

Initialstate

ExpressionDeadlocked?

Unbounded?

Accept?

Loop?

Passed

Stack

yes

yes

Waiting

18-11-2010 AFSEC 86

Leadsto Pipeline

Initialstate Reachability Liveness

p leadsto q

A[](p ⇒ A<> q)

18-11-2010 AFSEC 87

Hashtable

States

Passed list

Hashtable

Waiting queue

Searching:•pop state•hash•push to passed(inclusion check)•successor computation•hash•push to waiting queue(inclusion check)

2 hash tables2 inclusion checks1 queue

Standard Passed + Waiting Lists

18-11-2010 AFSEC 88

PWList

Hashtable

StatesUnified list

Waiting queue

Searching:•pop state reference•successor computation•hash•push to unified list(inclusion check) and appendstate reference

1 hash table1 inclusion check1 queue

18-11-2010 AFSEC 89

Active Clock Reduction

x is only active in location S1

x>3x<5

x:=0

x:=0

S

Clock x is inactive at S if on allpaths from S, x is always resetbefore being tested.

Definition

18-11-2010 AFSEC 90

Active Clock Reduction

x>3x<5

Sg1

gkg2r1

r2 rkS1

S2 Sk ( )

( ) ( )( )iii

ii

rClocksSAct

gClocksSAct

/ )(

U

U

U

=

Only save constraints onactive clocks.

Clock x is inactive at S if on allpaths from S, x is always resetbefore being tested.

Definition

18-11-2010 AFSEC 91

Data SharingKey idea: Working states different from stored states

Working states optimized for computationSymbolic state = discrete part (location+variables) + symbolic part (DBM).Stored states optimized for memoryStored state = <lockey,varkey,dbmkey>.

18-11-2010 AFSEC 92

Data Sharing

Location vector

Variables

DBM

Symbolic statefor computation

lockeyvarkeydbmkey

Symbolic statefor storage (PWList)

save

load

inclusion?

Discretestorage

Symbolicstorage

Sharing of data

~80% memory reduction.

Easy to change the implementationto favor speed over memory.

18-11-2010 AFSEC 93

Data SharingIn practice: 80% reduction.Easy to change storage implementation to favor speed or memory.

Compression of integer paired with minimal graphConvex hull is a special storage

18-11-2010 AFSEC 94

PWList & Sharing in Figures

[SPIN03]

18-11-2010 AFSEC 95

Symmetry Reduction

Exploitation of full symmetry may give factorial reduction.Many timed systems are inherently symmetric.Computation of canonical state representative using swaps.

[Formats 2003]

SWAP: 1 2 ; 3 4

18-11-2010 AFSEC 96

Symmetry Reduction

[Formats 2003]

18-11-2010 AFSEC 97

Support For SymmetryScalar set based symmetry reduction

typedef scalarset[4] pid_t;scalarset[n] = {0,…,n-1}int[0,4] = set of integersTemplate sets process P[i:pid_t](...) {(i)}Iterators for (i:pid_t) { a[i+1]=0 }

Quantifiers forall (i:int[0,4]) a[i+1]==0exists (i:int[0,4]) a[i+1]==1

Selection select i: int[0,4]; guard...

Martijn Henriks, Nijmegen U

18-11-2010 AFSEC 98

Re-using the State-space

Several properties to check:A[] prop1A[] prop2…Search in existing passed list (from previous checks) first.Expand missing states (not all states stored).

init

goal3Passed + Waiting List

Passed

goal1

goal2

18-11-2010 AFSEC 99

Virtual MachineExpressions (guards & actions) are compiled to bytecode and executed by a virtual machine.Stack machine, minimal instruction set, peep-hole optimization.Open the door to other optimizations or use of 3rd party VM.

Nips (Michael Weber): VM for Promela matches performance of Spin.

Verification Options

18-11-2010 AFSEC 101

Verification Options

Search OrderDepth FirstBreadth First

State Space ReductionNoneConservativeAggressive

State Space RepresentationDBMCompact FormUnder ApproximationOver Approximation

Diagnostic TraceSomeShortestFastest

18-11-2010 AFSEC 102

Conservative Reduction

Passed list is notneeded for terminationwhen there is no loop…

but useful forefficiency.

18-11-2010 AFSEC 103

Conservative Reduction

In case of loops,it is enough to storeloop entry points toensure termination.

Slight loss in efficiency,good gain in memory.

18-11-2010 AFSEC 104

Over-approximationConvex Hull

x

y

Convex Hull

1 3 5

1

3

5

TACAS04: An EXACT method performingas well as Convex Hull has been developed based on abstractions taking max constants into account.

18-11-2010 AFSEC 105

Under-approximationBitstate Hashing

Passed

Waiting Final

Init

PW

18-11-2010 AFSEC 106

Passed

Waiting Final

Init

PW 1

0

1

0

0

1

Hash function

1 bit perpassed state

Under-approx.Several statesmay collide onthe same bit.

Inclusion checkonly with

waiting states.“Equality” with

passed.

Bit Array

Under-approximationBitstate Hashing

18-11-2010 AFSEC 107

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1-x2<=4x2-x1<=10x3-x1<=2x2-x3<=2x0-x1<=3x3-x0<=5

x1 x2

x3x0

-4

10

22

5

3

x1 x2

x3x0

-4

4

22

5

3

x1 x2

x3x0

-4

22

3

3 -2 -2

1

ShortestPath

ClosureO(n^3)

ShortestPath

ReductionO(n^3) 3

Space worst O(n^2)practice O(n)

RTSS 1997

Compact RepresentationMinimal Constraint Form

Large gain in space.Small price in time.

Verificationoption “CDS”.

18-11-2010 AFSEC 108

Graph Reduction Algorithm

G: weighted graph1. Equivalence classes based

on 0-cycles.

18-11-2010 AFSEC 109


G: weighted graph1. Equivalence classes based

on 0-cycles.

2. Graph based onrepresentatives. Safe to remove redundant edges

18-11-2010 AFSEC 110


1. Equivalence classes basedon 0-cycles.

2. Graph based onrepresentatives. Safe to remove redundant edges

3. Shortest Path Reduction=

One cycle pr. class+

Removal of redundant edgesbetween classesCanonical given order of clocks

G: weighted graph

Modelling Patterns

18-11-2010 AFSEC 112

Variable ReductionReduce size of state space by explicitly resetting variables when they are not used!

Automatically performed for clock variables (active clock reduction)

18-11-2010 AFSEC 113

Synchronous Value Passing

18-11-2010 AFSEC 114

AtomicityLoops & complex control structures:C-functions.

To allow encoding of multicasting.

Committed locations.

18-11-2010 AFSEC 115

Bounded Liveness

Leads to within: φ ≤t ψMore efficient than leadsto:φ leadsto≤t ψ reduced toA□(b⇒z ≤ t) withbool b set to true and clockz reset when φ holds.When ψ holds set b to false.

≤ t

≤ t

18-11-2010 AFSEC 116

Bounded LivenessThe truth value of b indicates whether or not ψ should hold in the future.

φ

ψ

¬ψ

¬φ

b=truez=0

b=false

b true, check z ≤ t

b=false

A[] (b imply z ≤ t)E<> b (for meaningful check)

18-11-2010 AFSEC 117

Parametric timer:(re-)start(value)start! var=value

expired?active (bool)active go?(bool+urgent chan)time-out eventtimeout?

Declare ‘to’ with a tight range.

Timers

18-11-2010 AFSEC 118

Urgent Edges

Intent: take an edge as soon as it is enabled (without delay).

Condition on the edge, not the location.Solution limit: no clock constraint (yet).

x≤2

i==1 i==2

x==2

urgent

time-out

urgent chan go;

18-11-2010 AFSEC 119

ZenonessProblem: UPPAAL does not check for zenoness directly.

A model has “zeno” behavior if it can take an infinite amount of actions in finite time.That is usually not a desirable behavior in practice.Zeno models may wrongly conclude that some properties hold though they logically should not.Rarely taken into account.

Solution: Add an observer automata and check for non-zenoness, i.e., that time will always pass.

18-11-2010 AFSEC 120

Zenoness

x≤1 x≤1x=0

ZenoOK Detect by•adding theobserver:

Constant (10) can be anything(>0), but choose it well w.r.t.your model for efficiency.Clocks ‘x’ are local.

•and check the propertyZenoCheck.A --> ZenoCheck.B

x ≥ 1x==1

18-11-2010 AFSEC 121

Some PitfallsUnbounded integers

Model uses the full range.

Unsynchronized processesCombinatorial explosion.

Unused active variables specially in arrays

18-11-2010 AFSEC 122

Case-Studies: ControllersGearbox Controller [TACAS’98]

Bang & Olufsen Power Controller [RTPS’99,FTRTFT’2k]

SIDMAR Steel Production Plant [RTCSA’99, DSVV’2k]

Real-Time RCX Control-Programs [ECRTS’2k]

Experimental Batch Plant (2000)

RCX Production Cell (2000)

Terma, Memory Management for Radar (2001)

18-11-2010 AFSEC 123

Case Studies: Protocols

Philips Audio Protocol [HS’95, CAV’95, RTSS’95, CAV’96]Collision-Avoidance Protocol [SPIN’95]

Bounded Retransmission Protocol [TACAS’97]

Bang & Olufsen Audio/Video Protocol [RTSS’97]

TDMA Protocol [PRFTS’97]

Lip-Synchronization Protocol [FMICS’97]

Multimedia Streams [DSVIS’98]

ATM ABR Protocol [CAV’99]

ABB Fieldbus Protocol [ECRTS’2k]

IEEE 1394 Firewire Root Contention (2000)

End Part 1

Alexandre David Gerd Behrmann, Kim G. Larsen, Wang Yi Paul ...afsec.asr.cnrs.fr › wp-content ›...

Documents

Transcript of Alexandre David Gerd Behrmann, Kim G. Larsen, Wang Yi Paul ...afsec.asr.cnrs.fr › wp-content ›...